OpenSSL-based HTTPS service configuration

OpenSSL-based HTTPS service configuration

CA Server: 192.168.75.131

Httpd server: 192.168.75.128

Operating system version: RedHat 6.5 (x_86_64)

1. Install openssl

1. Source Code installation:

Openssl: wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz

# Tar xvf openssl-1.0.0a.tar.gz

# Cd openssl-1.0.0a

#./Config -- prefix =/usr/local/openssl

# Make & make install

2. RPM Installation

Yum install openssl-devel-y

Ii. install Apache

1. Source Code installation httpd reference: Compile and install Apache (httpd-2.4.18)

-- Enable-so # dynamic module support

-- Enable-ssl # enable ssl module support

-- With-ssl =/usr/local/openssl: Use openssl of the compiled version. If this parameter is not specified, use openssl of the rpm version.

Compilation parameters:

. /Configure -- prefix =/usr/local/apache -- enable-so -- enable-ssl -- enable-cgi -- enable-rewrite -- with-zlib -- with-pcre =/usr/local /pcre -- with-apr =/usr/local/apr -- with-apr-util =/usr/local/apr-util -- enable-mpms-shared = all -- with-mpm = event -- enable-proxy-http -- enable-proxy-ajp -- enable-proxy-balancer -- enable-lbmethod-heartbeat -- enable-slotmem-shm -- enable-slotmem-plain -- enable-watchdog -- with-ssl =/usr/local/openssl

2. Install httpd In the RPM package

Mod_ssl module needs to be installed

# Yum install httpd mod_ssl-y

Iii. Self-signed certificate generated by the CA Server (on the CA Server 192.168.75.131)

# Yum install openssl-y

# Cd/etc/pki/CA/

# (Umask 077; openssl genrsa-out private/cakey. pem 2048) # generate a private key

# Ll private/

Total 4

-Rw -------. 1 root 1679 Feb 18 :49 cakey. pem

There are many options to fill in when generating self-signed documents. If you do not want to fill in, you can edit the configuration file and change the default value.

# Cd ../tls/

# Diff openssl. cnf openssl. cnf. orig

130c130

<CountryName_default = CN

---

> CountryName_default = XX

135c135

<StateOrProvinceName_default = GuangDong

---

> # StateOrProvinceName_default = Default Province

138c138

<LocalityName_default = ShenZhen

---

> LocalityName_default = Default City

141c141

<0. organizationName_default = SmallFish Company Ltd

---

> 0. organizationName_default = Default Company Ltd

148c148

<OrganizationalUnitName_default = Tech

---

> # OrganizationalUnitName_default =

# Vim ../tls/openssl. cnf # ensure that the dir is in the/etc/pki/CA directory.

[CA_default]

Dir =/etc/pki/CA # Where everything is kept

# Openssl req-new-x509-key private/cakey. pem-out cacert. pem-days 3665 # generate a self-signed certificate for yourself based on the private key. This certificate can be used by the user

You are about to be asked to enter information that will be ininitialized

Into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [GuangDong]:

Locality Name (eg, city) [ShenZhen]:

Organization Name (eg, company) [SmallFish Company Ltd]: # This must also be the Name of a company issued to someone else.

Organizational Unit Name (eg, section) [Tech]:

Common Name (eg, your name or your server's hostname) []: ca.smallfish.com # send your own certificate

Email Address []: admin@smallfish.com

# Cd/etc/pki/CA/

# Touch index.txt

# Echo 00> serial

# Tree.

.

── Cacert. pem

── Certs

├ ── Crl

── Index.txt

── Newcerts

── Private

│ ── Cakey. pem

── Serial

4. Generate a certificate issuance request on the web server (on 192.168.75.128)

# Cd/usr/local/apache/conf

# Mkdir ssl

# Cd ssl/

# (Umask 077; openssl genrsa 1024> httpd. key) # generate a key

Generating RSA private key, 1024 bit long modulus

... ++

...

E is 65537 (0x10001)

# Ll

Total 4

-Rw -------. 1 root 887 Feb 8 :40 httpd. key

# Openssl req-new-key httpd. key-out httpd. csr # generate a certificate application request

You are about to be asked to enter information that will be ininitialized

Into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]: CN # The information must be consistent with that of the CA.

State or Province Name (full name) []: GuangDong # The information must be consistent with that of the CA.

Locality Name (eg, city) [Default City]: ShenZhen # The information must be consistent with that of the CA.

Organization Name (eg, company) [Default Company Ltd]: SmallFish Company Ltd # The same company must be entered in the CA certificate. It is better to report an error when generating the Company certificate later.

Organizational Unit Name (eg, section) []: Tech

Common Name (eg, your name or your server's hostname) []: www.vip.com

Email Address []: www.vip.com

Please enter the following 'extra 'attributes

To be sent with your certificate request

A challenge password []:

An optional company name []:

[Root @ master ssl] #

# Scp httpd. csr 192.168.75.131:/tmp # use a USB flash drive to copy and send emails.

5. the CA server issues a certificate (on the CA Server: 192.168.75.131)

 

# Openssl ca-in/tmp/httpd. csr-out/tmp/httpd. crt-days 3650 # CA signs the certificate. If the company name is different, an error is returned.

Using configuration from/etc/pki/tls/openssl. cnf

Check that the request matches the signature

Signature OK

The organizationName field needed to be the same in

CA certificate (SmallFish Company Ltd) and the request (vip Ltd)

# Openssl ca-in/tmp/httpd. csr-out/tmp/httpd. crt-days 3650 # CA sign the certificate

Using configuration from/etc/pki/tls/openssl. cnf

Check that the request matches the signature

Signature OK

Certificate Details:

Serial Number: 0 (0x0)

Validity

Not Before: Feb 18 10:10:26 2016 GMT

Not After: Feb 15 10:10:26 2026 GMT

Subject:

CountryName = CN

StateOrProvinceName = GuangDong

OrganizationName = SmallFish Company Ltd

OrganizationalUnitName = Tech

CommonName = www.vip.com

EmailAddress = www.vip.com

X509v3 extensions:

X509v3 Basic Constraints:

CA: FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

68: 4F: A6: 95: E8: 65: 0D: FE: 9E: E2: 81: 31: 8A: AF: 69: 3A: 4C: 43: E0: 94

X509v3 Authority Key Identifier:

Keyid: AA: 27: 66: F1: 0F: 7A: 7C: CA: CD: 85: 95: 1F: D5: 92: 5A: 36: 23: FE: 1A: 36

Certificate is to be certified until Feb 15 10:10:26 2026 GMT (3650 days)

Sign the certificate? [Y/n]: y

1 out of 1 certificate requests certified, commit? [Y/n] y

Write out database with 1 new entries

Data Base Updated

# Cat index.txt

V2602151026z00unknown/C = CN/ST = GuangDong/O = SmallFish Company Ltd/OU = Tech/CN = www.vip.com/emailAddress=www.vip.com

# Cat serial

01

# Tree.

.

── Cacert. pem

── Certs

├ ── Crl

── Index.txt

── Index.txt. attr

── Index.txt. old

── Newcerts

│ ── 00.pem

── Private

│ ── Cakey. pem

── Serial

── Serial. old

4 directories, 8 files

# Scp/tmp/httpd. crt 192.168.75.128:/usr/local/apache/conf/ssl # copy the certificate to the Web server

# Rm/tmp/httpd. crt/tmp/httpd. csr # After the CA server is created, you can delete the web server certificate.

6. Configure openssl on the web server (on 192.168.75.128)

Vim/usr/local/apache/conf/extra/httpd-ssl.conf

<VirtualHost _ default _: 443>

DocumentRoot "/usr/local/apache/htdocs" # The file directory of port 80 is the same, otherwise it is different from the content accessed by port 80.

ServerName www.vip.com: 443

ServerAdmin admin@vip.com

ErrorLog "/usr/local/apache/logs/error_log"

TransferLog "/usr/local/apache/logs/access_log"

SSLEngine on

SSLCertificateFile "/usr/local/apache/conf/ssl/httpd. crt"

SSLCertificateKeyFile "/usr/local/apache/conf/ssl/httpd. key"

# Vim/usr/local/apache/conf/httpd. conf # Open the comment below

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

LoadModule ssl_module modules/mod_ssl.so

LoadModule slotmem_shm_module modules/mod_slotmem_shm.so

Include conf/extra/httpd-ssl.conf

#/Usr/local/apache/bin/httpd-t

Syntax OK

# Httpd-M | grep ssl_mod # Check whether ssl_module is supported

Ssl_module (shared)

#/Usr/local/apache/bin/apachectl start

# Lsof-I: 80

Command pid user fd type device size/OFF NODE NAME

Httpd 13445 root 4u IPv6 349321 0t0 TCP *: http (LISTEN)

Httpd 13446 daemon 4u IPv6 349321 0t0 TCP *: http (LISTEN)

Httpd 13447 daemon 4u IPv6 349321 0t0 TCP *: http (LISTEN)

Httpd 13448 daemon 4u IPv6 349321 0t0 TCP *: http (LISTEN)

# Lsof-I: 443

Command pid user fd type device size/OFF NODE NAME

Httpd 13445 root 6u IPv6 349329 0t0 TCP *: https (LISTEN)

Httpd 13446 daemon 6u IPv6 349329 0t0 TCP *: https (LISTEN)

Httpd 13447 daemon 6u IPv6 349329 0t0 TCP *: https (LISTEN)

Httpd 13448 daemon 6u IPv6 349329 0t0 TCP *: https (LISTEN)

VII. Access Verification

1. Add

C: \ WINDOWS \ System32 \ drivers \ etc \ hosts

192.168.85.128 www.vip.com

2. Install the certificate

Copy the certificate (/etc/pki/CA/cacert. pem) from the CA server to the client, rename it as cacert. crt, double-click to run the installation, import it to the browser, and open it in the browser.

3. Access:

Https://www.vip.com/

Http://www.vip.com/

8. Problems Encountered

Question 1:

#/Usr/local/apache2/bin/apachectl start

AH00526: Syntax error on line 51 of/usr/local/apache2/conf/extra/httpd-ssl.conf:

Invalid command 'sslcipherset', perhaps misspelled or defined by a module not supported in the server configuration

Solution 1:

# Vi/usr/local/apache2/conf/httpd. conf

LoadModule ssl_module modules/mod_ssl.so

Question 2:

#/Usr/local/apache2/bin/apachectl start

AH00526: Syntax error on line 76 of/usr/local/apache2/conf/extra/httpd-ssl.conf:

SSLSessionCache: 'shmcb' session cache not supported (known names:). Maybe you need to load the appropriate socache module (mod_socache_shmcb ?).

Solution 2:

# Vi/usr/local/apache2/conf/httpd. conf

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

Question 3:

The countryName field needed to be the same in

CA certificate (cn) and the request (sh)

Solution 3: the country name of the certificate. The province name must be the same.

9. Note:

SSL sessions cannot be distinguished based on host names. The server has only one IP address and can only provide ssl functions for one host. If there are many domain name-based virtual hosts, ssl can only be provided to one of the virtual hosts.

For more information about OpenSSL, see the following links:

Use OpenSSL command line to build CA and Certificate

Install OpenSSL in Ubuntu

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.

Use OpenSSL to generate certificates in Linux

Use OpenSSL to sign multi-domain certificates

Add a custom encryption algorithm to OpenSSL

OpenSSL details: click here
OpenSSL: click here

This article permanently updates the link address: